Skip to main content



Find us on

facebook youtube flickr twitter itunes u logo

Upcoming Events

Sal Stolfo

Salvatore J. Stolfo Columbia University
A Brief History of Symbiote DefenseTuesday, October 31st
Rockefeller 003
5:00 PM

 Fright Night Imge

Wanna See Something REALLY Scary?
ISTS Looks at the Dark Web on Halloween Night
Tuesday, October 31st
Sudikoff  045 Trust Lab (dungeon)
7:30 PM - RSVP
Space is Limited 


Recent Talks

Dan Wallach

STAR-Vote: A Secure, Transparent, Auditable and Reliable Voting System

Professor Dan Wallach
Rice University
Thursday April 27, 2017
Carson L01, 5:00 PM

Ben Miller Dragos

Pandora's Power Grid - What Can State Attacks Do and What Would be the Impact?

Ben Miller
Chief Threat Officer, Dragos, Inc.
Tuesday May 2, 2017
Kemeny 007, 4:30 PM
Brendan Nyhan




Factual Echo Chambers? Fact-checking and Fake News in Election 2016.

Professor Brendan Nyhan
Dartmouth College
Thursday May 4, 2017
Rocky 001, 5:00 PM

Dickie George


Espionage and Intelligence

Professor Dickie George
Johns Hopkins University
Thursday May 11, 2017
Rocky 001, 5:00 PM

Dan Wallach

A Nation Under Attack: Advanced Cyber-Attacks in Ukraine

Ukrainian Cybersecurity Researchers
Thursday April 6, 2017
Oopik Auditorium 5:30 PM

ISTS Information Pamphlet



Institute for Security, Technology, and Society
Dartmouth College
6211 Sudikoff Laboratory
Hanover, NH 03755 USA

Internet Control Message Protocol (ICMP) Unreachable Message Metering

Project Summary

An attacker often selects a target machine only after broad scans to identify all vulnerable machines within a certain range of IP addresses. Unfortunately, current network routers often obscure scanning activity, since the routers will drop any scanning traffic directed toward a machine that does not actually exist. With this “loss” of scanning traffic, it is much harder for a security analyst to identify the scan in the first place or understand its scope. At the same time, however, routers do generate error messages (ICMP Unreachable) when traffic is directed at nonexistent machines. By collecting these error messages, IRIA can provide security analysts with a much better view of scanning activity, allowing them to detect impending attacks that they might otherwise miss.

The project demonstrated the feasibility of using ICMP error messages (which are easily collected and, since they do not reveal significant data about any target network, are easily shareable) as a means to detect scanning activity in general and propagating worms in particular. Under realistic simulation, the system was able to detect propagating worms within a few seconds of their launch using only a small number of instrumented routers, while a small real-world deployment confirms the system’s detection potential. Although we are continuing with a larger deployment and further algorithm refinements, the system could be deployed “as-is” in an early-warning or other computer-operations center that was willing to work closely with ISTS personnel during the deployment.

  • Project Leads: Robert Gray, Susan McGrath
  • Documentation:
    • Simulating Realistic Network Worm Traffic for Worm Warning System Design and Testing [PDF Format]
    • Designing a Framework for Active Worm Detection on Global Networks [PDF Format]
    • Using Sensor Networks and Data Fusion for Early Detection of Active Worms [PDF Format]
    • Early Detection of Internet Worms [MS PowerPoint]
    • Active Internet Worms and the Dartmouth ICMP BCC: System [HTML]
    • Early Detection of Internet Worm Activity by Metering ICMP Destination Unreachable Activity [PDF Format]